Grrr… IPv6 and DNS Vulnerabilities

We’ve received lots of questions from customers, journalists and bloggers about a recent paper that was released which outlines two different vulnerabilities for commercial VPNs. The paper also tested different VPN services including TunnelBear against the vulnerabilities. Along with many of the companies, TunnelBear was listed as vulnerable to these attacks. Below is a summary of the actions we have already taken and will be taking to address the vulnerabilities.

It’s important to note that TunnelBear has been working on the long-term solution to these problems for quite awhile. However, this paper rightfully highlights the risks of these vulnerabilities and that our temporary solutions could and should have been rolled out sooner.

We will continue to update this blog post with the latest information and additional technical analysis.

Summary

There are two different vulnerabilities listed – IPv6 leakage and DNS Hijacking. The table below summarizes the vulnerabilities and our response.

IPv6 Leakage

DNS Hijack

Description

By falsely advertising IPv6 availability a malicious local network (e.g. Wi-Fi router) could redirect IPv6 traffic to take a path outside of the VPN tunnel

By triggering a configuration change in your device network interface, a malicious local network device (e.g. Wi-Fi router) could redirect traffic to take the path outside of the VPN tunnel

Risk

Your IPv6 traffic would not be going through the encrypted VPN tunnel

Once “hijacked” a malicious party could monitor a user’s DNS requests

TunnelBear Actions

iOS – No action required
Windows – TunnelBear released an update which should temporarily block IPv6 traffic in March 2015 (version 2.3.13).
OS X – TunnelBear is testing an update which blocks IPv6 traffic. Update imminent.
Additional Network Changes
In addition to app updates, we are adding an additional layer of IPv6 protection on our servers. The change will explicitly route all IPv6 traffic through the VPN tunnel where it will be blocked on the server. This will eliminate IPv6 vulnerability until full IPv6 support is rolled out. It will also protect legacy clients while they are updated.

TunnelBear is rolling out a network change such that our DNS servers maintain the same address as our VPN servers. This will prevent the attack outlined in the paper as the conflicting DNS locations will cause the connection to fail in an obvious way to alert the user of such an attack.

User Actions

Install updates as they become available, however all clients should be protected within the next 48 hours with server changes.

No action required, a change to our network will prevent the DNS vulnerability within the next business week.

Moving Forward

IPv6

To prevent any possible issues, IPv6 is now blocked on TunnelBear's clients and network.

DNS

TunnelBear routes all traffic through our internal DNS servers. Once you're safely snuggled in your tunnel, your DNS traffic is encrypted, like everything else you do while tunneling, so only you know what queries are being sent. To learn more about TunnelBear DNS just visit our TunnelBear DNS blog post.

We welcome additional feedback from the paper authors and the community on the vulnerabilities. We will provide updates and additional information as it becomes available on this post.